Security Vulnerabilities - CVEs Published In March 2022
Xiaohuanxiong v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /app/controller/Books.php.
CVSS Score: 9.8
EPSS Score: 0.009
Published: 2022-03-28

74cmsSE v3.4.1 was discovered to contain an arbitrary file read vulnerability via the $url parameter at \index\controller\Download.php.
CVSS Score: 7.5
EPSS Score: 0.046
Published: 2022-03-28

ImpressCMS before 1.4.3 has Incorrect Access Control because include/findusers.php allows access by unauthenticated attackers (who are, by design, able to have a security token).
CVSS Score: 5.3
EPSS Score: 0.108
Published: 2022-03-28

ImpressCMS before 1.4.3 allows include/findusers.php groups SQL Injection.
CVSS Score: 9.8
EPSS Score: 0.194
Published: 2022-03-28

ImpressCMS before 1.4.3 has plugins/preloads/autologin.php type confusion with resultant Authentication Bypass (!= instead of !==).
CVSS Score: 9.8
EPSS Score: 0.055
Published: 2022-03-28

ImpressCMS before 1.4.3 allows libraries/image-editor/image-edit.php image_temp Directory Traversal.
CVSS Score: 8.1
EPSS Score: 0.032
Published: 2022-03-28

Clash for Windows v0.19.8 was discovered to allow arbitrary code execution via a crafted payload injected into the Proxies name column.
CVSS Score: 9.8
EPSS Score: 0.017
Published: 2022-03-28

CVE-2022-26258 (Known exploited)
D-Link DIR-820L 1.05B03 was discovered to contain a remote command execution (RCE) vulnerability via HTTP POST to get set ccp.
CVSS Score: 9.8
EPSS Score: 0.812
Published: 2022-03-28

In DLink DAP-1360 F1 firmware version <=v6.10 in the "webupg" binary, an attacker can use the "file" parameter to execute arbitrary system commands when the parameter is "name=deleteFile" after being authorized.
CVSS Score: 9.8
EPSS Score: 0.033
Published: 2022-03-27

WoWonder The Ultimate PHP Social Network Platform v4.0.0 was discovered to contain an access control issue which allows unauthenticated attackers to arbitrarily change group ID names.
CVSS Score: 5.3
EPSS Score: 0.008
Published: 2022-03-27